OpenWrt Forum Archive

Topic: After reboot, openvpn link in rc.d for autostart is removed, why/how?

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
spongioblast
25 Feb 2018, 00:30

I'm running a tap openvpn server on LEDE Reboot 17.01.4 on a GL-AR300M. Everything works fine, I can start the service under the system->startup tab and connect to it fine. I can also start the vpn via the luci openvpn interface. I can connect to it and it all runs fine. Configered via luci-app-openvpn.

If I enable the openvpn for autostart with /etc/init.d/openvpn enable, a link to the script is successfully created in /etc/rc.d/S99openvpn.
However if I reboot the device, the link is removed and autostart disabled. The service didn't start and I can't find anything in the system log file.

Could somebody point me into the right direction on finding what causes this? Could it have anything to do with the router connecting via the wifi as a client to another router?

Cheers

Below the openvpn script, except for start and stop its untouched.

#!/bin/sh /etc/rc.common
# Copyright (C) 2008-2013 OpenWrt.org
# Copyright (C) 2008 Jo-Philipp Wich
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.

START=98
STOP=99

USE_PROCD=1
PROG=/usr/sbin/openvpn

LIST_SEP=""

UCI_STARTED=
UCI_DISABLED=

append_param() {
    local s="$1"
    local v="$2"
    case "$v" in
        *_*_*_*) v=${v%%_*}-${v#*_}; v=${v%%_*}-${v#*_}; v=${v%%_*}-${v#*_} ;;
        *_*_*)   v=${v%%_*}-${v#*_}; v=${v%%_*}-${v#*_} ;;
        *_*)     v=${v%%_*}-${v#*_} ;;
    esac
    echo -n "$v" >> "/var/etc/openvpn-$s.conf"
    return 0
}

append_bools() {
    local p; local v; local s="$1"; shift
    for p in $*; do
        config_get_bool v "$s" "$p"
        [ "$v" = 1 ] && append_param "$s" "$p" && echo >> "/var/etc/openvpn-$s.conf"
    done
}

append_params() {
    local p; local v; local s="$1"; shift
    for p in $*; do
        config_get v "$s" "$p"
        IFS="$LIST_SEP"
        for v in $v; do
            [ -n "$v" ] && [ "$p" != "push" ] && append_param "$s" "$p" && echo " $v" >> "/var/etc/openvpn-$s.conf"
            [ -n "$v" ] && [ "$p" == "push" ] && append_param "$s" "$p" && echo " \"$v\"" >> "/var/etc/openvpn-$s.conf"
        done
        unset IFS
    done
}

section_enabled() {
    config_get_bool enable  "$1" 'enable'  0
    config_get_bool enabled "$1" 'enabled' 0
    [ $enable -gt 0 ] || [ $enabled -gt 0 ]
}

openvpn_add_instance() {
    local name="$1"
    local dir="$2"
    local conf="$3"

    procd_open_instance
    procd_set_param command "$PROG"    \
        --syslog "openvpn($name)" \
        --status "/var/run/openvpn.$name.status" \
        --cd "$dir" \
        --config "$conf"
    procd_set_param file "$dir/$conf"
    procd_set_param respawn
    procd_append_param respawn 3600
    procd_append_param respawn 5
    procd_append_param respawn -1
    procd_close_instance
}

start_instance() {
    local s="$1"

    config_get config "$s" config
    config="${config:+$(readlink -f "$config")}"

    section_enabled "$s" || {
        append UCI_DISABLED "$config" "$LIST_SEP"
        return 1
    }

    [ ! -d "/var/run" ] && mkdir -p "/var/run"

    if [ ! -z "$config" ]; then
        append UCI_STARTED "$config" "$LIST_SEP"
        openvpn_add_instance "$s" "${config%/*}" "$config"
        return
    fi

    [ ! -d "/var/etc" ] && mkdir -p "/var/etc"
    [ -f "/var/etc/openvpn-$s.conf" ] && rm "/var/etc/openvpn-$s.conf"

    append_bools "$s" $OPENVPN_BOOLS
    append_params "$s" $OPENVPN_PARAMS

    openvpn_add_instance "$s" "/var/etc" "openvpn-$s.conf"
}

start_service() {
    . /usr/share/openvpn/openvpn.options
    config_load 'openvpn'
    config_foreach start_instance 'openvpn'

    local path name
    for path in /etc/openvpn/*.conf; do
        if [ -f "$path" ]; then
            name="${path##*/}"; name="${name%.conf}"

            # don't start configs again that are already started by uci
            if echo "$UCI_STARTED" | grep -qxF "$path"; then
                continue

            # don't start configs which are set to disabled in uci
            elif echo "$UCI_DISABLED" | grep -qxF "$path"; then
                logger -t openvpn "$name.conf is disabled in /etc/config/openvpn"
                continue
            fi

            openvpn_add_instance "$name" "${path%/*}" "$path"
        fi
    done
}

service_triggers() {
    procd_add_reload_trigger openvpn
}

(Last edited by spongioblast on 25 Feb 2018, 00:46)

Post #2
spongioblast
26 Feb 2018, 13:30

I might be closer to the issue:
On my client log I found the dhcp-option not to be working:

Mon Feb 26 13:22:47 2018 us=231032 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.99.1 redirect-gateway   def1 local,route-gateway 192.168.99.1,ping 10,ping-restart 120,ifconfig 192.168.99.200 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Mon Feb 26 13:22:47 2018 us=231032 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: dhcp-option (2.4.4)

It seems a comma is missing between "dhcp-option DNS 192.168.99.1" and "redirect-gateway   def1 local"

Does anybody know what might be causing this?

Here is the server config:

config openvpn 'lan_openvpn_server_aml'
    list push 'dhcp-option DNS 192.168.99.1'
    list push 'redirect-gateway def1 local'
    option enable '1'
    option port '1194'
    option dev 'tap0'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/sydney_vpn_server.crt'
    option key '/etc/openvpn/sydney_vpn_server.key'
    option dh '/etc/openvpn/dh.pem'
    option ifconfig_pool_persist '/tmp/ipp.txt'
    option keepalive '10 120'
    option comp_lzo 'yes'
    option persist_key '1'
    option persist_tun '1'
    option status '/tmp/openvpn-status.log'
    option verb '3'
    option server_bridge '192.168.99.1 255.255.255.0 192.168.99.200 192.168.99.219'
    option tls_server '1'
    option mode 'server'
    option enabled '1'

and client config:

remote xxxxx 1194
client

dev tap
proto udp
auth-nocache
resolv-retry infinite
nobind
persist-tun
persist-key
ca ca.crt
cert familyhome.crt
key familyhome.key

comp-lzo
verb 5

remote-cert-tls server

If I remove either of the push instructions it works fine:

    list push 'dhcp-option DNS 192.168.99.1'
    list push 'redirect-gateway def1 local'

Last test was removing 

list push 'redirect-gateway def1 local'

on the server side and adding to the client config the following:

redirect-gateway def1

Now the whole setup works fine. However I should be able to configure this on the server side no?

(Last edited by spongioblast on 26 Feb 2018, 13:41)

The discussion might have continued from here.